Why the UK's vote to leave the EU will have little effect on its data protection rules

Peter Sayer
June 29, 2016

Why will Brexit have little effect on data protection?

One of the Data Protection Directive's key provisions, for businesses at least, is that EU citizens' personal information may only be processed in countries offering a level of data protection at least equal to that afforded by EU law.

Since the UK's data protection regime will, for now, remain unchanged, UK businesses can still process data for EU companies and citizens, and UK citizens will have the same protections if their data is exported to, say, the US.

Protection of EU citizens' data in the US has itself been called into question since the October 2015 decision by the Court of Justice of the EU to overturn the legal instrument providing that protection, the so-called Safe Harbor Agreement. EU and US officials are still negotiating the details of its replacement, Privacy Shield, which will also cover the UK until it formally leaves the EU.

The other EU data protection law of relevance to the UK is the General Data Protection Regulation (GDPR), voted through in April 2016. It introduces harsher fines for companies breaching the rules - up to 4% of worldwide revenue - and seeks to harmonize those rules, eliminating the national differences allowed under the Data Protection Directive.

Regulations begin life in the same way as directives, as compromise texts agreed upon by the Commission, Council and Parliament. After that, though, there is no time-consuming transposition into national laws: regulations are directly applicable, and automatically take effect after two years.

At first sight, that would suggest that UK citizens will benefit from, and UK businesses will be subject to, the effects of the GDPR from April 2018 through at least October 2018.

That, though, is without considering the exemptions from EU home affairs and justice legislation negotiated by the UK, Ireland and Denmark. The exemptions mean the GDPR will apply only partially in the UK up until October 2018.

But what then? Well, one of the innovations of the GDPR is that the applicable rules depend on the location of the data subject, not the processor, so companies in the UK will still have to comply with it when processing EU citizens' data.

UK businesses might even choose voluntarily to follow EU data protection rules at all times, in order to hang on to their UK customers.

"It would make no sense at all for UK regulations to be any less stringent. Poor safeguards against loss, theft and misuse of data would ultimately cost UK business, as consumers and brands put their data elsewhere," said Richard Lack, EMEA director of sales at Gigya, which provides a visitor tracking and identification service for websites.

Following the EU data protection rules would be a good thing for UK businesses in other respects, according to Javvad Malik, security advocate at AlienVault, a security threat management company.